Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Yong Chen,Xu Wang,Peng Hu,Dezhong Peng

DOI: https://doi.org/10.1016/j.knosys.2022.110023

2022-01-01

Abstract:Deep neural networks are vulnerable to interference categories, which can deceive trained models with imperceptible adversarial perturbations. More crucially, the transferability of adversarial samples has been confirmed, specifically, an adversarial sample crafted against a source agent model can transfer to other target models, which results in the adversary posing a security threat to applications in black -box scenarios. However, the existing transfer-based attacks merely consider a single agent model to create the adversarial samples, leading to poor transferability. In this paper, we propose a novel attack method called Multiagent Attacks Generate Interferential Category via GAN (MagicGAN). Specifically, to avoid the adversarial samples overfitting a single source agent, we design a multiagent discriminator, which can fit the decision boundaries of the various target models to provide more diversified gradient information for the generation of adversarial perturbations. Therefore, the generalization of our method is effectively improved, that is, the adversarial transferability of the adversarial sample is enhanced. In addition, to avoid the pattern collapse of the GAN-based adversarial approach, we construct a novel latent data distance constraint to enhance the compatibility between the latent adversarial sample distances and the corresponding data adversarial sample distances. Therefore, MagicGAN can more effectively generate a distribution close to the adversarial data. Extensive experiments on CelebA, CIFAR-10, MNIST and ImageNet fully validate the effectiveness and superiority of our proposed method. (c) 2022 Elsevier B.V. All rights reserved.

Jiangfan Han,Xiaoyi Dong,Ruimao Zhang,Dongdong Chen,Weiming Zhang,Nenghai Yu,Ping Luo,Xiaogang Wang

DOI: https://doi.org/10.1109/iccv.2019.00526

2019-01-01

Abstract:Modern deep neural networks are often vulnerable to adversarial samples. Based on the first optimization-based attacking method, many following methods are proposed to improve the attacking performance and speed. Recently, generation-based methods have received much attention since they directly use feed-forward networks to generate the adversarial samples, which avoid the time-consuming iterative attacking procedure in optimization-based and gradient-based methods. However, current generation-based methods are only able to attack one specific target (category) within one model, thus making them not applicable to real classification systems that often have hundreds/thousands of categories. In this paper, we propose the first Multi-target Adversarial Network (MAN), which can generate multi-target adversarial samples with a single model. By incorporating the specified category information into the intermediate features, it can attack any category of the target classification model during runtime. Experiments show that the proposed MAN can produce stronger attack results and also have better transferability than previous state-of-the-art methods in both multi-target attack task and single-target attack task. We further use the adversarial samples generated by our MAN to improve the robustness of the classification model. It can also achieve better classification accuracy than other methods when attacked by various methods.

Yifeng Li,Ya Zhang,Rui Zhang,Yanfeng Wang

DOI: https://doi.org/10.1145/3376067.3376112

2019-01-01

Abstract:Despite their superior performance in computer vision tasks, deep neural networks are found to be vulnerable to adversarial examples, slightly perturbed examples that can mislead trained models. Moreover, adversarial examples are often transferable, i.e., adversaries crafted for one model can attack another model. Most existing adversarial attack methods are iterative or optimization-based, consuming relatively long time in crafting adversarial examples. Besides, the crafted examples usually underfit or overfit the source model, which reduces their transferability to other target models. In this paper, we introduce the Generative Transferable Adversarial Attack (GTAA), which generate highly transferable adversarial examples efficiently. GTAA leverages a generator network to produce adversarial examples in a single forward pass. To further enhance the transferability, we train the generator with an objective of making the intermediate features of the generated examples diverge from those of their original version. Extensive experiments on challenging ILSVRC2012 dataset show that our method achieves impressive performance in both white-box and black-box attacks. In addition, we verify that our method is even faster than one-step gradient-based method, and the generator converges extremely rapidly in training phase.

Mingxing Duan,Kailun Jiao,Siyang Yu,Zhibang Yang,Bin Xiao,Kenli Li

DOI: https://doi.org/10.1109/tifs.2024.3356812

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:One area of current research on adversarial attacks is how to generate plausible adversarial examples when only a small number of datasets are available. Current adversarial attack algorithms used to attack these black-box systems face a number of challenges, such as difficulty in training convergence, ambiguous sample images, substitute models collapse, unsatisfactory attack success rates, high query cost, and low defense capability improvement of target models. As a result, constructing plausible adversarial situations in a few known real-world sample circumstances remains difficult. As a solution to the aforementioned issues, this study introduces MC-Net, a novel multi-stage and multi-class balanced generating method based on a limited number of samples to generate realistic adversarial examples. Firstly, a multi-task learning approach is used to train the GAN by fully utilizing the small samples, ensuring that the size of the generated dataset for each category is balanced. In addition, we design a weight-balancing strategy to ensure faster convergence of each sub-network. Then, in the second stage, the generated samples of different categories are used to train a substitute model, and the distillation method is adopted to learn the output distribution of the target model. Finally, adversarial examples are constructed on the generated samples to complete the attack on the target models. Extensive experiments have proven that MC-Net has the following advantages: 1) The substitute model converges quickly using limited samples and queries; 2) High attack success rates can be obtained with a few queries; and 3) The constructed adversarial examples significantly improve the target model's defense. Furthermore, we only utilize a few queries for the Microsoft Azure online model to obtain a satisfactory result. Our code can be found at https://github.com/jiaokailun/A-fast.

computer science, theory & methods,engineering, electrical & electronic

Shao Mingwen,Liu Shuqi,Wang Ran,Zhang Gaozhi

DOI: https://doi.org/10.1007/s13042-021-01374-w

2021-01-01

International Journal of Machine Learning and Cybernetics

Abstract:In recent years, the development of deep neural networks is in full gear in the fields of computer vision, natural language processing, and others. However, the existence of adversarial examples brings risks to the completion of these tasks, which is also a huge obstacle to implement deep learning applications in the real world. In order to solve the aforementioned problems and improve the robustness of neural networks, a novel defense network based on generative adversarial networks (GANs) is proposed. First, we use generators to eliminate disturbances of adversarial samples and utilize multi-scale discriminators to classify images of different scales to better assist the generator to produce high-quality images. Then, we utilize salient feature extraction model to extract salient maps of both clean examples and adversarial samples, thus improving the denoising effect of the generator by reducing the difference between salient images. The proposed method can guide the generation networks to accurately remove the invisible disturbance and to restore the adversarial samples to clean samples, which not only improves the success rate of classification, but also achieves satisfactory defense effect. Extensive experiments are conducted to compare the defense effect of our proposed method with other defense methods against various attacks. Results show that our method has strong defensive capabilities against the tested attack methods.

Yan Liu,Wei Yang,Xueyu Zhang,Yi Zhang,Liusheng Huang

2019-01-01

Abstract:State-of-the-art deep neural networks have achieved impressive results on many image classification tasks. However, these neural networks consistently misclassify adversarial examples that humans can clarify correctly classified, the adversarial examples result in the model outputting an incorrect answer with high confidence. Therefore, a black box attack method for efficiently generating a large number of adversarial samples using GAN is proposed. These attack samples are very similar to real images and can fool deep neural networks. Extensive experimental results show that our approach perform well in the task of generate samples of adversarial attacks.

Xiaosen Wang,Kun He,Chuanbiao Song,Liwei Wang,John E. Hopcroft

DOI: https://doi.org/10.48550/arXiv.1904.07793

2019-04-16

Computer Vision and Pattern Recognition

Abstract:Despite the rapid development of adversarial machine learning, most adversarial attack and defense researches mainly focus on the perturbation-based adversarial examples, which is constrained by the input images. In comparison with existing works, we propose non-constrained adversarial examples, which are generated entirely from scratch without any constraint on the input. Unlike perturbation-based attacks, or the so-called unrestricted adversarial attack which is still constrained by the input noise, we aim to learn the distribution of adversarial examples to generate non-constrained but semantically meaningful adversarial examples. Following this spirit, we propose a novel attack framework called AT-GAN (Adversarial Transfer on Generative Adversarial Net). Specifically, we first develop a normal GAN model to learn the distribution of benign data, and then transfer the pre-trained GAN model to estimate the distribution of adversarial examples for the target model. In this way, AT-GAN can learn the distribution of adversarial examples that is very close to the distribution of real data. To our knowledge, this is the first work of building an adversarial generator model that could produce adversarial examples directly from any input noise. Extensive experiments and visualizations show that the proposed AT-GAN can very efficiently generate diverse adversarial examples that are more realistic to human perception. In addition, AT-GAN yields higher attack success rates against adversarially trained models under white-box attack setting and exhibits moderate transferability against black-box models.

Mingxing Duan,Kenli Li,Jiayan Deng,Bin Xiao,Qi Tian

DOI: https://doi.org/10.1145/3506852

2022-01-01

Abstract:Deep learning models are widely used in daily life, which bring great convenience to our lives, but they are vulnerable to attacks. How to build an attack system with strong generalization ability to test the robustness of deep learning systems is a hot issue in current research, among which the research on black-box attacks is extremely challenging. Most current research on black-box attacks assumes that the input dataset is known. However, in fact, it is difficult for us to obtain detailed information for those datasets. In order to solve the above challenges, we propose a multi-sample generation model for black-box model attacks, called MsGM. MsGM is mainly composed of three parts: multi-sample generation, substitute model training, and adversarial sample generation and attack. Firstly, we design a multi-task generation model to learn the distribution of the original dataset. The model first converts an arbitrary signal of a certain distribution into the shared features of the original dataset through deconvolution operations, and then according to different input conditions, multiple identical sub-networks generate the corresponding targeted samples. Secondly, the generated sample features achieve different outputs through querying the black-box model and training the substitute model, which are used to construct different loss functions to optimize and update the generator and substitute model. Finally, some common white-box attack methods are used to attack the substitute model to generate corresponding adversarial samples, which are utilized to attack the black-box model. We conducted a large number of experiments on the MNIST and CIFAR-10 datasets. The experimental results show that under the same settings and attack algorithms, MsGM achieves better performance than the based models.

Hao Fang,Jiawei Kong,Bin Chen,Tao Dai,Hao Wu,Shu-Tao Xia

2024-10-03

Abstract:Transferable targeted adversarial attacks aim to mislead models into outputting adversary-specified predictions in black-box scenarios. Recent studies have introduced \textit{single-target} generative attacks that train a generator for each target class to generate highly transferable perturbations, resulting in substantial computational overhead when handling multiple classes. \textit{Multi-target} attacks address this by training only one class-conditional generator for multiple classes. However, the generator simply uses class labels as conditions, failing to leverage the rich semantic information of the target class. To this end, we design a \textbf{C}LIP-guided \textbf{G}enerative \textbf{N}etwork with \textbf{C}ross-attention modules (CGNC) to enhance multi-target attacks by incorporating textual knowledge of CLIP into the generator. Extensive experiments demonstrate that CGNC yields significant improvements over previous multi-target generative attacks, e.g., a 21.46\% improvement in success rate from ResNet-152 to DenseNet-121. Moreover, we propose a masked fine-tuning mechanism to further strengthen our method in attacking a single class, which surpasses existing single-target methods.

Computer Vision and Pattern Recognition

Jiameng Pan,Xiaoguang Zhu,Peilin Liu

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892178

2022-01-01

Abstract:Massive accessible personal data on the Internet raises the risk of malicious retrieval. In this paper, we propose to conceal the images with the targeted adversarial attacks on content-based image retrieval. An imperceptible perturbation is added to the original image to generate adversarial examples, making the retrieval results similar to the target image but look completely different. Previous work on the targeted attack for image retrieval only introduces a target-specific model and needs to train the model each time for new targets. We extend the attack adaptability by exploiting the target images as conditional input for the generative model. The proposed Adaptive Targeted Attack Generative Adversarial Network (ATA-GAN) is a GAN-based model with a generator and discriminator. The generator extracts the features of origin and target, then uses the Feature Integration Module to explore the relation between the target and original image to ignore the origin feature while paying more attention to the target. Simultaneously, the discriminator distinguishes the realness and ensures the adversarial example is similar to the origin. We evaluate and analyze the performance of the adaptive targeted attack on popular retrieval benchmarks.

Donghua Wang,Li Dong,Rangding Wang,Diqun Yan,Jie Wang

DOI: https://doi.org/10.1109/ACCESS.2020.3006130

IF: 3.9

2020-01-01

IEEE Access

Abstract:Although neural network-based speech recognition models have enjoyed significant success in many acoustic systems, they are susceptible to be attacked by the adversarial examples. In this work, we make first step towards using generative adversarial network (GAN) for constructing the targeted speech adversarial examples. Specifically, we integrate the target speech recognition network with GAN framework, which can then be formulated as a three-party game. The generator in GAN aims at generating perturbation that could make the target network misclassified to a specific target, while simultaneously fooling the discriminator treating the adversarial example as a beguine one. The discriminator is to distinguish the crafted examples from the geniue samples. The classification error of the target network is back-propagated via gradient flow to the generator for updating. The target network is responsible for back-propagating the classification error via gradients to the generator for updating, but the target network itself is freezed. With the carefully designed network architecture, loss function and training strategy, we successfully train a generator that could generate the adversarial perturbation for a given speech clip and a target label. Experiential results show that the generated adversarial examples could effectively fool the state-of-the-art speech classification networks, while attaining an acceptable auditory perception quality. In addition, our proposed method runs much faster than the prevalent optimization-based schemes. To facilitate reproducible research, codes, models and data are publicly available at https://github.com/winterwindwang/SpeechAdvGan.

Rui Yang,Tian-Jie Cao,Xiu-Qing Chen,Feng-Rong Zhang

DOI: https://doi.org/10.1016/j.cose.2021.102457

2021-12-01

Abstract:Some recent studies have demonstrated that the deep neural network (DNN) is vulnerable to adversarial examples, which contain some subtle and human-imperceptible perturbations. Although numerous countermeasures have been proposed and play a significant role, most of them all have some flaws and are only effective for certain types of adversarial examples. In the paper, we present a novel and universal countermeasure to recover multiple types of adversarial examples to benign examples before they are fed into the deep neural network. The idea is to model the mapping between adversarial examples and benign examples using a generative adversarial network (GAN). Its GAN architecture consists of a generator based on UNET, a discriminator based on ACGAN, and a newly added third-party classifier. The UNET can enhance the capacity of the generator to recover adversarial examples to benign examples. The loss function makes full use of the advantages of ACGAN and WGAN-GP to ensure the stability of the training process and accelerate its convergence. Besides, a classification loss and a perceptual loss, all from the third-party classifier, are employed to improve further the generator's capacity to eliminate adversarial perturbations. Experiments are conducted on the MNIST, CIFAR10, and IMAGENET datasets. First, we perform ablation experiments to prove the proposed countermeasure's validity. Then, we defend against seven types of state-of-the-art adversarial examples on four deep neural networks and compare them with six existing countermeasures. Finally, the experimental results demonstrate that the proposed countermeasure is universal and has a more excellent performance than other countermeasures. The experimental code is available at https://github.com/Afreadyang/IAED-GAN.

computer science, information systems

Youheng Sun,Shengming Yuan,Xuanhan Wang,Lianli Gao,Jingkuan Song

2024-07-17

Abstract:Targeted adversarial attack, which aims to mislead a model to recognize any image as a target object by imperceptible perturbations, has become a mainstream tool for vulnerability assessment of deep neural networks (DNNs). Since existing targeted attackers only learn to attack known target classes, they cannot generalize well to unknown classes. To tackle this issue, we propose $\bf{G}$eneralized $\bf{A}$dversarial attac$\bf{KER}$ ($\bf{GAKer}$), which is able to construct adversarial examples to any target class. The core idea behind GAKer is to craft a latently infected representation during adversarial example generation. To this end, the extracted latent representations of the target object are first injected into intermediate features of an input image in an adversarial generator. Then, the generator is optimized to ensure visual consistency with the input image while being close to the target object in the feature space. Since the GAKer is class-agnostic yet model-agnostic, it can be regarded as a general tool that not only reveals the vulnerability of more DNNs but also identifies deficiencies of DNNs in a wider range of classes. Extensive experiments have demonstrated the effectiveness of our proposed method in generating adversarial examples for both known and unknown classes. Notably, compared with other generative methods, our method achieves an approximately $14.13\%$ higher attack success rate for unknown classes and an approximately $4.23\%$ higher success rate for known classes. Our code is available in <a class="link-external link-https" href="https://github.com/VL-Group/GAKer" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence

Xiao Yang,Yinpeng Dong,Tianyu Pang,Hang Su,Jun Zhu

DOI: https://doi.org/10.48550/arXiv.2107.01809

2022-07-22

Abstract:Transfer-based adversarial attacks can evaluate model robustness in the black-box setting. Several methods have demonstrated impressive untargeted transferability, however, it is still challenging to efficiently produce targeted transferability. To this end, we develop a simple yet effective framework to craft targeted transfer-based adversarial examples, applying a hierarchical generative network. In particular, we contribute to amortized designs that well adapt to multi-class targeted attacks. Extensive experiments on ImageNet show that our method improves the success rates of targeted black-box attacks by a significant margin over the existing methods -- it reaches an average success rate of 29.1\% against six diverse models based only on one substitute white-box model, which significantly outperforms the state-of-the-art gradient-based attack methods. Moreover, the proposed method is also more efficient beyond an order of magnitude than gradient-based methods.

Machine Learning,Artificial Intelligence

Minxuan Lv,Chengwei Dai,Kun Li,Wei Zhou,Songlin Hu

DOI: https://doi.org/10.18653/v1/2023.emnlp-main.340

2023-01-01

Abstract:Neural network models are vulnerable to adversarial examples, and adversarial transferability further increases the risk of adversarial attacks. Current methods based on transferability often rely on substitute models, which can be impractical and costly in real-world scenarios due to the unavailability of training data and the victim model’s structural details. In this paper, we propose a novel approach that directly constructs adversarial examples by extracting transferable features across various tasks. Our key insight is that adversarial transferability can extend across different tasks. Specifically, we train a sequence-to-sequence generative model named CT-GAT (Cross-Task Generative Adversarial Attack) using adversarial sample data collected from multiple tasks to acquire universal adversarial features and generate adversarial examples for different tasks.We conduct experiments on ten distinct datasets, and the results demonstrate that our method achieves superior attack performance with small cost.

Jianyi Liu,Yu Tian,Ru Zhang,Youqiang Sun,Chan Wang

DOI: https://doi.org/10.1109/access.2020.3037329

IF: 3.9

2020-01-01

IEEE Access

Abstract:Deep neural networks (DNNs) have achieved great success in various applications due to their strong expressive power. However, recent studies have shown that DNNs are vulnerable to adversarial examples, and these manipulated instances can mislead DNN into making false predictions. The existing methods of generating adversarial examples include pixel-level perturbation or spatial transformation of images, which cannot consider concurrently with the semantic quality of adversarial examples or success rate of attack. These methods are computationally bulky and slow to generate the adversarial examples. To solve this kind of issue, a two-stage generative adversarial networks (TSGAN) with semantic content constraints is proposed in this paper. The first-stage uses the original example dataset to train generator G, which can help the generator learn the distribution of real examples. Then, the example semantic quality constraint loss function, the adversarial loss function and the distance loss function are adopted in the second-stage, so that the generator G can continue to learn to search the distribution of the adversarial examples, and train the new generator G(adv). The adversarial examples generated by generator G(adv) are better fit the distribution of real examples, and have targeted black-box attack capability. The experiments show that the adversarial examples generated by TSGAN can achieve the success rate of attack at 98.40% in target model, 29.40% success rate in defense-oriented model. And 77.58% success rate is obtained in the transfer test attack. The results show that the adversarial examples generated by the proposed model, which has a highly attack success rate and more difficult to defense. Meanwhile, the improved adversarial examples have stronger transfer ability than the existing models. The proposed model can effectively reduce the expression of target category features of the adversarial examples, and the generated adversarial examples have better semantic quality than others.

Mao Xiaofeng,Chen Yuefeng,Li Yuhong,He Yuan,Xue Hui

2020-01-01

Abstract: Adversarial examples are perturbed inputs which can cause a serious threat for machine learning models. Finding these perturbations is such a hard task that we can only use the iterative methods to traverse. For computational efficiency, recent works use adversarial generative networks to model the distribution of both the universal or image-dependent perturbations directly. However, these methods generate perturbations only rely on input images. In this work, we propose a more general-purpose framework which infers target-conditioned perturbations dependent on both input image and target label. Different from previous single-target attack models, our model can conduct target-conditioned attacks by learning the relations of attack target and the semantics in image. Using extensive experiments on the datasets of MNIST and CIFAR10, we show that our method achieves superior performance with single target attack models and obtains high fooling rates with small perturbation norms.

Guoyin Zhang,Qingan Da,Sizhao Li,Jianguo Sun,Wenshan Wang,Qing Hu,Jiashuai Lu

DOI: https://doi.org/10.1504/ijbic.2022.126789

2022-01-01

International Journal of Bio-Inspired Computation

Abstract:Deep neural networks are susceptible to adversarial examples which can mislead or even manipulate the predictive behaviour of deep neural networks. This raises concerns about the safety of deep learning. In this paper, to ensure rapid generation of adversarial examples, we propose an adversarial transformation network with adaptive perturbations by using the framework of a generative adversarial network. For the adversarial training phase, the direction of the adversarial perturbation is adaptively adjusted to generate more adversarial examples with transferability. Besides, the perceptual constraint based on game theory, the pixel-level constraint based on mixed norms, and the target constraint based on the C$W method are introduced to guide the optimisation of the generator. Experiments conducted on MNIST, CIFAR-10, and ImageNet show the proposed algorithm can generate adversarial examples with stronger attack abilities in a shorter time. And the proposed algorithm can generate more transferable adversarial examples when attacking models with similar structures.

YU Tingyue,WANG Shen,ZHANG Chunrui,WANG Zhenbang,LI Yetian,YU Xiangzhan

DOI: https://doi.org/10.1049/cje.2021.06.009

IF: 1.019

2021-09-01

Chinese Journal of Electronics

Abstract:In recent years, adversarial examples has become one of the most important security threats in deep learning applications. For testing the security of deep learning models in adversarial environment, many researches focus on generating adversarial examples quickly and efficiently. In order to solve the problems of existing generative adversarial networks based methods which can not effectively generate the targeted adversarial examples in black box settings, and to improve the temporal performance of gradient-based generating methods, an adversarial examples generating method based on conditional Variational autoencoder (cVAE) is proposed in this paper, where a cVAE is designed elaborately to generate adversarial examples without most of the detailed information about the attacked deep learning models, of which the output can be controlled arbitrarily by these crafted inputs, used to test the robustness of deep learning models against adversarial examples. The experimental results show that the proposed method can achieve a comparable attack success rate and a better temporal performance than the existing gradient-based generating methods in black box environment.

engineering, electrical & electronic